Snort mailing list archives

Osx.Trojan.Mughthesec


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 15 Aug 2017 15:20:31 +0000

Sorry for the noise. The sample is available on the referenced site. However, I did not have the opportunity to 
experiment and generate a pcap.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Mughthesec outbound connection attempt"; flow:to_server,established; content:"/DmFybQ=="; fast_pattern:only; http_uri; pcre:"/\/screens\/(precheck|progress|complete)\/DmFybQ\x3d\x3d/U"; metadata:ruleset community, service http; reference:url,objective-see.com/blog/blog_0x20.html; classtype:trojan-activity; sid:1100009; rev:1;)


Thanks.

YM
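
The following is an added example, not part of the original post or the Snort project: with no pcap available, the rule's URI logic (the content match plus the pcre) can be checked against constructed request URIs or run over proxy logs. The log format, hosts and addresses are constructed, and percent-decoding with `unquote` is only an approximation of Snort's URI normalization.

```python
import re
from urllib.parse import unquote

# Taken from the rule above: the content match and the pcre (both case-sensitive).
CONTENT = "/DmFybQ=="
URI_RE = re.compile(r"/screens/(precheck|progress|complete)/DmFybQ\x3d\x3d")

def rule_matches(raw_uri):
    """Return the matched screen name if the URI would satisfy the rule, else None."""
    uri = unquote(raw_uri)  # assumption: stands in for the normalized http_uri buffer
    if CONTENT not in uri:  # fast pattern / content check
        return None
    m = URI_RE.search(uri)  # pcre with /U runs on the normalized URI
    return m.group(1) if m else None

def hunt(log_text):
    """Scan lines of 'timestamp src_ip method url' and return (timestamp, src_ip, screen) hits."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, _method, url = parts
        # Drop scheme and host so only the path and query are tested.
        uri = "/" + url.split("://", 1)[-1].partition("/")[2]
        screen = rule_matches(uri)
        if screen:
            hits.append((ts, src, screen))
    return hits

# Constructed sample log (hypothetical hosts and addresses).
SAMPLE_LOG = """\
2017-08-15T15:01:02Z 10.0.0.5 GET http://host-a.example/screens/precheck/DmFybQ==?x=1
2017-08-15T15:01:09Z 10.0.0.5 GET http://host-a.example/screens/progress/DmFybQ%3d%3d
2017-08-15T15:02:30Z 10.0.0.7 GET http://host-b.example/screens/other/DmFybQ==
2017-08-15T15:03:11Z 10.0.0.7 GET http://host-b.example/index.html
2017-08-15T15:04:45Z 10.0.0.5 GET http://host-a.example/screens/complete/DmFybQ==
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```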